
I’m Not Sure Where I Messed Up In My Login


TKW22


I'm still new at PHP and MySQL and I'm trying to make a login for my site. But I can't get the password to go. Either you can enter any password with == or you can't get any password to go with !=. Here's the code:

<?php
include_once ('login3.php');
require_once('recaptchalib.php');
$error_string = '';
$publickey = "... ";
$privatekey = "... ";
# the response from reCAPTCHA
$resp = null;
# the error code from reCAPTCHA, if any
$error = null;
# are we submitting the page?
if ($_POST["submit"]) {
  $resp = recaptcha_check_answer ($privatekey,
                                  $_SERVER["REMOTE_ADDR"],
                                  $_POST["recaptcha_challenge_field"],
                                  $_POST["recaptcha_response_field"]);
  if ($resp->is_valid) {
    if (strlen(trim($name)) > 7) {
      echo 'sorry you name is to long<br/>';
    }
    elseif (strlen($password) > 45) {
      echo 'you pass is to long<br/>';
    }
    elseif (strlen($age) > 3) {
      echo 'come on now no name is that long<br/>';
    }
    elseif ($age == '' || $password == '' || $name == '') {
      echo 'fill out all of login';
    }
    elseif ($nu_row2['name'] != trim($name)) {
      echo 'sorry no such user';
      echo mysql_error();
      unset ($name);
      die;
    }
    elseif ($su_row['password'] != $password) {
      echo 'hello';
      die;
    }
    else {
      $_SESSION['user_name'] = $name;
      echo '<a href="http://domain.com/">go back to </a>';
      echo mysql_error();
      exit();
    }
  } else {
    # set the error code so that we can display it. You could also use
    # die ("reCAPTCHA failed"), but using the error message is
    # more user friendly
    $error = $resp->error;
  }
}
echo recaptcha_get_html($publickey, $error);
?>

Thanks for the help

edit> sorry forgot to get rid of my url


yea right here.

elseif ($su_row['password'] != $password) {
  echo 'hello';
  die;
}

Sorry about that. Oh yeah, I forgot to post the login3.php, so here it is.

<?php
session_start();
require_once '????.php';
$age = $_POST['age'];
$password = sha1($password['password']);
$name = $_POST['user_name'];
$name = stripcslashes($name);
$name = mysql_real_escape_string($name);
$password = stripcslashes($password);
$password = mysql_real_escape_string($password);
$age = stripcslashes($age);
$age = mysql_real_escape_string($age);
$checkuser = "SELECT name, lastname, age, password FROM users WHERE name='$name' LIMIT 1";
$checkuser2 = "SELECT name, lastname, age, password FROM users WHERE  password='$password' LIMIT 1";
$res = mysql_query($checkuser);
$res2 = mysql_query($checkuser2);
$nu_row = mysql_num_rows($res);
$su_row = mysql_num_rows($res2);
$nu_row2 = mysql_fetch_assoc($res);
$nu_row3 = mysql_fetch_assoc($res2);
?>


Are you sure this line is right:

$password = sha1($password['password']);

Is $password an array with an element called "password"? When you compare here:

elseif ($su_row['password'] != $password){

$su_row comes from here:

$su_row = mysql_num_rows($res2);

$su_row is a number, not the user record. I'm not real sure what you're doing with the database there, there's no reason to get one row based on the name and another based on the password. It's also not necessary to keep track of how many rows there are, you can always calculate that. I would get rid of this entire section:

$checkuser = "SELECT name, lastname, age, password FROM users WHERE name='$name' LIMIT 1";
$checkuser2 = "SELECT name, lastname, age, password FROM users WHERE  password='$password' LIMIT 1";
$res = mysql_query($checkuser);
$res2 = mysql_query($checkuser2);
$nu_row = mysql_num_rows($res);
$su_row = mysql_num_rows($res2);
$nu_row2 = mysql_fetch_assoc($res);
$nu_row3 = mysql_fetch_assoc($res2);

and replace it with this:

$checkuser = mysql_query("SELECT name, lastname, age, password FROM users WHERE name='{$name}'");
if ($user_row = mysql_fetch_assoc($checkuser))
  $user_found = true;
else
  $user_found = false;

After that, $user_row is your user data from the database if it was found, and $user_found will tell you if it was found or not. You can compare the password against $user_row['password']. You can check $user_found to figure out if a user with the given name exists.

Other than that, I advise you to turn on error reporting, this script has a lot of errors that probably aren't showing up for you. You can enable error reporting by adding this to the top:

error_reporting(E_ALL);
ini_set('html_errors', 1);
ini_set('log_errors', 0);
ini_set('display_errors', 1);


I thought I did but I had them in the wrong place. Here's the errors.

Notice: Undefined index: password in login4.php on line 191
Notice: Undefined index: submit in login4.php on line 206
Notice: Undefined index: age in login4.php on line 10
Notice: Undefined index: user_name in login4.php on line 12

fixed Notice: Undefined variable: password in login4.php on line 15 but now I have Notice: Undefined index: password in login4.php on line 15

Can you tell me what they mean?

I'll be back later


Ok so what do I have wrong here? Here's line 15

$password = $_POST['password'];

Here's the HTML to it

   <p>password: <input type="password" name="password" value="" /></p>


Here's what I got.

<form method="POST" >
  <p>name:  <input type="text" name="user_name" value="" /></p>
  <p>password: <input type="password" name="password" value="" /></p>
  <p>age: <input type="text" name="age" value="" /></p>
  <p><?php
$password = sha1($_POST['password']);
$password = trim($password);
$password = stripcslashes($password);
$password = mysql_real_escape_string($password);
require_once('recaptchalib.php');
$error_string = '';
$publickey = "...";
$privatekey = "...";
# the response from reCAPTCHA
$resp = null;
# the error code from reCAPTCHA, if any
$error = null;
# are we submitting the page?
if ($_POST["submit"]) {
  $resp = recaptcha_check_answer ($privatekey,
                                  $_SERVER["REMOTE_ADDR"],
                                  $_POST["recaptcha_challenge_field"],
                                  $_POST["recaptcha_response_field"]);
  if ($resp->is_valid) {
    if (strlen(trim($name)) > 7) {
      echo 'sorry you name is to long<br/>';
    }
    elseif (strlen($password) > 45) {
      echo 'you pass is to long<br/>';
    }
    elseif (strlen($age) > 3) {
      echo 'come on now no name is that long<br/>';
    }
    elseif ($age == '' || $password == '' || $name == '') {
      echo 'fill out all of login';
    }
    elseif ($user_row['name'] != trim($name)) {
      echo 'sorry no such user';
      echo mysql_error();
      unset ($name);
      die;
    }
    elseif ( sha1($password) != $user_row['password']) {
      echo $password;
      die;
    }
    else {
      $_SESSION['user_name'] = $name;
      echo '<a href="http://....com/">go back to ....com</a>';
      echo mysql_error();
      exit();
    }
  } else {
    # set the error code so that we can display it. You could also use
    # die ("reCAPTCHA failed"), but using the error message is
    # more user friendly
    $error = $resp->error;
  }
}
echo recaptcha_get_html($publickey, $error);
?></p>
  <input type="submit" name="submit" value="submit" />
</form>


Yeah, you're not checking if the form was submitted before trying to get the password. If you want to check, you can use isset($_POST['password']) to see if post contains a password field. You can also replace these lines:

$password = sha1($_POST['password']);
$password = trim($password);
$password = stripcslashes($password);
$password = mysql_real_escape_string($password);

with this:

$password = $_POST['password'];
if (get_magic_quotes_gpc())
  $password = stripslashes($password);
$password = sha1(trim($password));

You don't need to use mysql_real_escape_string, there aren't any dangerous characters in a SHA-1 hash.

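The lookup-and-compare step this thread works toward, as an added example that is not part of any post here: it swaps the thread's mysql_* calls and SHA-1 for a PDO prepared statement and password_hash()/password_verify(), since the mysql_* extension was removed in PHP 7 and an unsalted SHA-1 is not a suitable password hash. The check_login() name, the in-memory SQLite table and the sample accounts are assumptions constructed for the demo.

```php
<?php
// Added example, not code from the thread. The function name, the table
// layout and the sample accounts are assumptions made for illustration.

/**
 * Return the user row (without its hash) if the name/password pair is
 * valid, otherwise null.
 */
function check_login(PDO $db, array $post): ?array
{
    // The form may not have been submitted: read fields only if present.
    if (!isset($post['user_name'], $post['password'])) {
        return null;
    }
    $name = trim((string) $post['user_name']);
    $password = (string) $post['password'];   // passwords are not trimmed or escaped

    // One query, keyed on the name only; the placeholder replaces manual escaping.
    $stmt = $db->prepare('SELECT name, lastname, age, password FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $user_row = $stmt->fetch(PDO::FETCH_ASSOC);

    // $user_row is the record itself (or false), not a row count.
    // password_verify() checks the input against the stored salted hash.
    if ($user_row === false || !password_verify($password, $user_row['password'])) {
        return null;   // same return value for "no such user" and "wrong password"
    }
    unset($user_row['password']);
    return $user_row;
}

// Constructed test data: in-memory SQLite stands in for the MySQL users table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, lastname TEXT, age INTEGER, password TEXT)');
$insert = $db->prepare('INSERT INTO users VALUES (?, ?, ?, ?)');
$insert->execute(['alice', 'Example', 30, password_hash('correct horse', PASSWORD_DEFAULT)]);
$insert->execute(["o'brien", 'Sample', 41, password_hash('s3cret', PASSWORD_DEFAULT)]);

var_dump(check_login($db, []));                                                  // page load, no POST
var_dump(check_login($db, ['user_name' => 'alice', 'password' => 'wrong']));
var_dump(check_login($db, ['user_name' => "o'brien", 'password' => 's3cret']));  // quote in name
var_dump(check_login($db, ['user_name' => 'alice', 'password' => 'correct horse']));
```

On success the caller would set $_SESSION['user_name'] from the returned row, after calling session_regenerate_id(true).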

Archived

This topic is now archived and is closed to further replies.
